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For: METHOD FOR VERIFYING CODE TRANSFORMERS 

FOR AN EMBEDDED SYSTEM, IN PARTICULAR 
IN A CHIP CARD 

McLean, Virginia 

PRELIMINARY AMENDMENT 

Honorable Commissioner of Patents 

and Trademarks 
Washington, D.C. 20231 

Sir: 

Please amend the subject application, filed concurrently herewith, as 
indicated below: 
IN THE TITLE: 

Delete "TRANSFORMERS" and substitute -TRANSFORMATION--; 

Delete ", IN PARTICULAR IN A CHIP CARD-. 
IN THE SPECIFICATION : 

After the title and before the first paragraph on page 1 , insert the 
following heading at the left-hand margin: 
- FIELD OF THE INVENTION- -: 

Page 1 , line 4, delete "transformers" and substitute -transformation of 

a-; 
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Page 1 , line 6, after "transformer", insert -or converter--; 

Page 1, line 8, before the paragraph beginning "In the context...", 
insert the following heading at the left-hand margin: 
- DESCRIPTION OF RELATFD ART -- 

Page 3, at line 8, and before the paragraph beginning "The object of 
the ..." insert the following paragraph at the left-hand margin: 
- SUMMARY OF THE INVENTION -: 

Page 3, line 19, delete "transformers" and substitute -transformation-; 

Page 3, line 32, delete "a transformer" and substitute -transformation 

of-; 

Page 4, line 18, after "transformer", insert -or converter--; 
Same line, after "chip", insert -(smart)-; 

Page 4, at line 19 and before the paragraph beginning "The invention 
will now...", insert the following heading at the left hand margin: 
- BRIEF DESCRIPTION OF THE DRAWINGS- : 

Page 4, at line 29 and before the paragraph beginning "Fig. 1 
schematically...", insert the following heading at the left hand margin: 
- DETAILED DESCRIPTION OF THE INVENTION -: 

Page 4, line 31 , after "transformer", insert -or converter-; 

Page 5, line 1, after "transformer", insert -or converter-; 

Page 9, line 31 , before "chip", insert -memory of the-; 

Page 10, line 1 , after "transformer", insert -or converter-; 

Page 10, line 18, before "converter", insert -transformer or--; 

Same line, after "converter", insert -means--; 

Page 15, line 3, delete "a transformer" and substitute -transformation 
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is--; 

Page 15, line 4, delete "this" and substitute -the--; 
Page 15, after line 25, insert the following new paragraph: 
-While this invention has been described in conjunction with specific 
embodiments thereof, it is evident that many alternatives, modifications and 
variations will be apparent to those skilled in the art. Accordingly, the 
preferred embodiments of the invention as set forth herein, are intended to be 
illustrative, not limiting. Various changes may be made without departing 
from the true spirit and full scope of the invention as set forth herein and 
defined in the claims. — 

IN THE CLAIMS : 

Please cancel claims 1 - 5 in their entirety and without prejudice and 
substitute the following new claims. 

1 ~6. A method for verifying transformation of a source code (1) into a 

2 transformed code (3) designed for an embedded system, said source and 

3 transformed codes being associated with virtual machines, characterized in 

4 that it comprises at least the following steps: 

5 - determining, for each of said source (1) and transformed (3) codes, a 

6 first common subset (13), constituting a single virtual machine that factors in 

7 the behavior of said source and transformed codes (1 ,3); 

8 - determining, for each of said source (1) and transformed (3) codes, a 

9 second subset (1 0, 30) constituted by a plurality of so-called auxiliary 

10 functions (10/- 30,) used by said single virtual machine, said auxiliary 

11 functions (1 0, - 30/) representing residual differences between said source (1) 

12 and transformed (3) codes; 
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- associating said auxiliary functions in pairs, a first auxiliary function 
(10/) of each pair belonging to said second subset (10) associated with said 
source code (1) and a second auxiliary function (30/) of each pair belonging to 
said second subset (30) associated with said transformed code (3); 

- verifying (6) a given correspondence property between said auxiliary 
functions (10, -30/) of all of said pairs; and 

- verifying that said transformation of the source code (1) into a 
transformed code (3) satisfies said given correspondence property. 

7. A method according to claim 6, characterized in that said 
correspondence property is a logical relation, so that said auxiliary functions 
of each of said pairs (10/- 30/), when executed, generate results linked by 
said logical relation. 

8. A method according to claim 6, characterized in that said logical 
relation is an identity relation for observable entities of each of said source 
and transformed codes, for any pair of auxiliary functions, so that the 
functionalities of said source code (1) are retained when said transformation 
into said transformed code (3), and said verification of the code 
transformation are performed. 

9. A method according to claim 6 further comprising applying the 
steps of the verification of transformation to a code transformer (2) and 
generating from said source code (1), a transformed code (3) in a memory 
(71) of a chip card (7). 

10. A method according to claim 7 further comprising applying the 
steps of the verification of transformation to a code transformer (2) and 
generating from said source code (1), a transformed code (3) in a memory 
(71) of a chip card (7). 

11. A method according to claim 9, characterized in that, said 
transformed code is a program written in the virtual machine of a given 
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3 computer language, and said chip card (7) stores a plurality of software 

4 applications (Ai through A n ) written in said transformed code (3). 

1 1 2. A method according to claim 1 0, characterized in that, said 

2 transformed code is a program written in the virtual machine of a given 

3 computer language, and said chip card (7) stores a plurality of software 

4 applications (Ai through An) written in said transformed code (3). 

1 1 3. A method according to claim 9, characterized in that said source 

2 code (1) is a program written in a "JAVA" virtual machine and said 

3 transformed code (3) is a program written in a "JAVA CARD" virtual machine. 

1 1 4. A method according to claim 1 0, characterized in that said 

2 source code (1) is a program written in a "JAVA" virtual machine and said 

3 transformed code (3) is a program written in a "JAVA CARD" virtual machine. 

1 1 5. A method according to claim 1 1 , characterized in that said 

2 source code (1) is a program written in a "JAVA" virtual machine and said 

3 transformed code (3) is a program written in a "JAVA CARD" virtual machine. 

1 16. A method according to claim 12, characterized in that said 

2 source code (1) is a program written in a "JAVA" virtual machine and said 

3 transformed code (3) is a program written in a "JAVA CARD" virtual 

4 machine. ~ 
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IN THE ABSTRACT: 

Please cancel the Abstract at page 18 and substitute the following new 
Abstract: 
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-ABSTRACT 

The invention relates to a method for verifying transformation (2) of a source 
code (1) into a transformed code (3) designed for an embedded system (7) such as 
in a smart card or other portable or mobile device including data processing 
5 resources. The method comprises at least the following steps: determining a single 
virtual machine that factors in the behavior of both of these codes (1 , 3), determining 
for each source code (1) and transformed code (3) a plurality of auxiliary functions 
representing the residual differences between said source code (1) and transformed 
code (3), and a step for verifying a correspondence property between the auxiliary 
10 functions, the verification of the code transformation (2) being obtained from this last 
step.-- 
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REMARKS 


This Preliminary Amendment is filed to insert headings to conform the 
application to U.S. practice, to eliminate the use of multiple dependent claims, and to 
correct informalities in the specification, claims and abstract resulting from a literal 
translation of the French text. 

Early action on the merits is earnestly solicited. 


Respectfully submitted, 


MILES & STOCKBRIDGE P.C. 


Date: March 1 . 2001 



1751 Pinnacle Drive - Suite 500 
McLean, VA 22102-3833 
Tel.: 703/903-9000 
Fax: 703/610-8686 
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International 
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U.S. Filing Date: 

For: 


Christian GOIRE ET AL. 

PCT/FR00/01815 
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To be Assigned 
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METHOD FOR VERIFYING CODE TRANSFORMERS 
FOR AN EMBEDDED SYSTEM, IN PARTICULAR 
IN A CHIP CARD 

McLean, Virginia 

PROPOSED DRAWING CORRECTIONS 

Hon. Commissioner of Patents and Trademarks 
Washington, D.C. 20231 

Sir: 

Applicant requests approval of the drawing corrections on Fig. 1 - 3 as shown in red 
on the attached two (2) sheets. 

The proposed corrections only comprise labeling of the blocks of the drawings to 
conform to the specification and claims and removing the headings "1/2" to "2/2" to conform 
the drawings to U.S. practice. 

Respectfully submitted, 
M I LE STOCj^BRIDGE P.C. 

Date: March 1 . 2001 



1751 Pinnacle Drive - Suite 500 
McLean, VA 22102-3833 
Tel.: 703/903-9000 
Fax: 703/610-8686 


Edward J 
Registrati 


L Koftdracki 
i6n No. 20,604 
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Verification of Translation 


I, Robin Holding, having an office at 948 15th Street, #4, Santa Monica, CA 
90403-3134, hereby state that I am well acquainted with both the English and French 
languages and that to the best of my knowledge and ability, the appended document is a 
true and faithful translation of 


Int'l. Patent Application No. pct/froo/01815 

Filed 011 -Tuns 78. 700 

BULL CP8; Institut National de la Recherche En 
In tne name Of Tnfm-mat-irpiP P f P n tm-nmat-n-qnp a t. q Centre 
National de la Recherche Scientif ique 
Inventors: Christian GOIRE ET AL. 

I further declare that the above statement is true; and further, that this statement is 
made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment or both, under Section 1001 of Title 18 of the United 
States Code and that such willful false statements may jeopardize the validity of the 
application or any patent resulting therefrom. 


February 26, 2001 Q-j/Hi, f/lrfCL u- c 

Date Robin Holding 
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METHOD FOR VERIFYING CODE TRANSFORMERS FOR AN 
EMBEDDED SYSTEM, IN PARTICULAR IN A CHIP CARD 


The invention relates to a method for verifying code transformers for an 
5 embedded system. 

The invention also relates to the application of such a method to a transformer 
for generating a code for a chip card. 

In the context of the invention, the term "embedded system' should be 
considered in its most general sense. It specifically includes systems designed for a 
10 chip card, which constitutes the preferred application of the invention, but also any 
system designed for a portable or mobile device comprising means capable of 
processing computer data, which will hereinafter be called "processing resources." 

Modern embedded systems are equipped with data processing resources that 
make it possible to fulfill increasingly complex and increasingly numerous functions. 
15 However, despite the arrival on the market of technologies and components that are 
increasingly high-performance, a distinctive characteristic of embedded systems, as 
compared to conventional computer systems (microcomputers, workstations, etc.), 
involves the limitations they impose on resources (memory size and microprocessor 
power especially). In order to satisfy these constraints, it is necessary to transform the 
20 code designed to be executed in an embedded system. The purpose of the 

transformations is to produce a code that is more efficient and less resource-intensive. 

To illustrate the concept, and to give a non-limiting example of a code, the 
description below will center on a program written in a virtual machine in the 
"JAVA" language (a registered trademark of SUN MICROSYSTEMS), which has the 
25 advantage of being able to be executed in various environments. The fields of 
application of this language have multiplied considerably, particularly with the 
extensive growth of the Internet. Many computer applications of smal] size, called 
"applets," are written in this language and are executable by a "web" browser. 

The description will also focus on the preferred application of the invention, 
30 i.e., the execution of a code of this type by computer resources specific to a chip card. 
As indicated above, despite substantial technological progress, the memory size of the 
chip card and the power of the microprocessor with which it is equipped remain 
relatively limited. It is also important for the code to be resident in the chip card, since 


the transmissions between the latter and a host terminal of any type, tiike place at low 
speed. The current standards only provide for serial transmissions. A need has 
therefore arisen for a code that can be qualified as "reduced," or in any case optimized 
for this use. To this end, it has been proposed to use a language derived from "JAVA," 
5 existing in the form of a limitation of this language, i.e. the language 'JAVA CARD" 
(also a registered trademark of SUN MICROSYSTEMS). 

An additional complication arises from the fact that embedded systems are 
generally used in environments that require the highest guarantees in terms of both 
reliability and security. For example, there are new versions of chip cards in which it 

10 is necessary to install multiple software applications that must cooperate 

harmoniously without revealing any confidential information. In fact, a priori, these 
multiple applications may involve different users. Despite the aforementioned 
cooperation, it is necessary to maintain strict partitioning, so that the information 
related to a given user remains confidential, or at least cannot be made available to a 

15 user who is not authorized to see it (read operations) and/or manipulate it (write 
operations and the like: erasure, modification). In addition to the "confidentiality" 
aspect, there are other things to be taken into account, including the so-called 
"integrity" requirement, data losses, illegal modifications, etc. 

In terms of "source" code, in the sense of "initial code," for example the "byte 

20 code" in the aforementioned "JAVA" language, the latter offers all the necessary 
guarantees and fulfills the aforementioned requirements, the "byte code" being a 
program written in the virtual machine of the "JAVA" language. In fact, many tests 
have been performed, over long periods of time. 

The so-called "transformed" code is obtained from the "source code" by 

25 means of a code transformer, which is generally outside the embedded system, but 
can also be resident in the latter. It is therefore necessary to show equivalence 
between the source code and the transformed code. 

This can be done by guaranteeing that the transformations performed on the 
code do not in any way change its behavior (from an external point of view) and do 

30 not introduce any security loopholes. In other words, the initial code (before 

transformation) must, from a logical point of view, be equivalent to the resulting code 
(after transformation). 
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It is especially difficult to guarantee this property in general, because the 
transformations have a global effect on the code and on the representations of the data 
it manipulates. In a practical sense, the complexity implied by this operation does not 
allow it to be implemented under realistic economic and/or technological conditions. 
5 Moreover, it must be clearly understood that such needs have arisen only quite 
recently, particularly in connection with the development of the aforementioned 
multi-application and/or multi-user chip card technologies. 

The object of the invention is to meet these needs, without requiring extremely 
long and expensive procedures. 

30 The method according to the invention makes it possible to verify, in 

systematic and modular fashion, the accuracy of the code transformations. 

Within the context of the invention, two intrinsically known formalisms will 
essentially be used: operational semantics and logical relations. For a more detailed 
description of these formalisms, it would be advantageous to refer, first of all, to the 

15 book by H. R. Nielson and F. Nielson entitled "Semantics with Applications: A 
Formal Introduction" Wiley, 1992, and secondly, to the book by J. Mitchell, 
"Foundations for Programming Languages " MIT Press, 1996. 

According to an essential characteristic of the invention, the method for 
verifying code transformers consists of specifying the meaning of two codes by means 

20 of a common virtual machine parameterized by functions that will be called "auxiliary 
functions." The differences between the two codes are expressed and grouped into the 
aforementioned auxiliary functions. There are two versions of each auxiliary function: 
a version in the source code and a version in the transformed code. The first modules 
being identical, since they are common to both codes, there is no need to verify that 

25 they are equivalent. In order to show the equivalence of the two codes, one therefore 
need only show that the so-called auxiliary functions, considered two by two, are 
equivalent. These two subsets can be made much more complex than the two sets 
represented by the two codes, source and transformed, considered in their entirety. It 
follows that, according to the method of the invention, the difficulty inherent in the 

30 verification process is substantially reduced, and correlatively, the verification process 
becomes economically and technologically feasible. 

The subject of the invention is a method for verifying a transformer of a so- 
called source code into a so-called transformed code designed for an embedded 


system, said source and transformed codes being associated with virtual machines, 
characterized in that it comprises at least the following steps: 

- determining, for each of said source and transformed codes, a first common 
subset, constituting a single virtual machine that factors in the behavior of these two 

5 codes; 

- determining, for each of said source and transformed codes, a second subset 
constituted by a plurality of so-called auxiliary functions, said auxiliary functions 
representing residual differences between said source and transformed codes; 

- associating said auxiliary functions in pairs, a first auxiliary function of each 
10 pair belonging to said second subset associated with said source code and a second 

auxiliary function of each pair belonging to said second subset associated with said 
transformed code; 

- verifying a given correspondence property between said auxiliary functions 
of all of said pairs; and 

15 - verifying that said transformation of the source code into a transformed code 

by said converter satisfies said given correspondence property. 

Another subject of the invention is the application of such a method to a 
transformer for generating a code designed to be stored in a chip card. 

The invention will now be described in greater detail in reference to the 
20 attached drawings, in which: 

- Fig. 1 schematically illustrates the process for transforming a. source code 
into a final transformed code; 

- Figs. 2A and 2B schematically illustrate one of the essential characteristics 
of the method according to the invention; and 

25 - Fig. 3 schematically illustrates the application of the method according to the 

invention to a chip card. 

The following will describe in detail the method for verifying code 
transformers according to the invention. 

Fig. 1 schematically illustrates the method for transforming a code 1, which 
30 will be called a "source code" in the sense of an original or initial code, into a final 
code 3, called a "transformed code", by means of a code transformer 2. The latter 
device can be a computing means or a specific piece of software. Ordinarily, the 
transformed code is designed to be resident in the embedded system 4 (solid line). 


The transformer 2 can also be resident in or downloaded into the embedded system: 
reference 4' (broken line). 

After being loaded into or stored in the embedded system 4-4', the transformed 
code 3 makes it possible to execute one or more tasks as necessary, represented by the 
5 single reference 5. The embedded system 4 is assumed to have standard autonomous 
computing resources (not represented). 

A priori, the code transformation is performed once and for all by a given 
transformer 2, or on rare occasions, involves a modification of a version of the 
original code or source code 1, for example. 
10 It is therefore necessary to be able to establish a formal proof that the 

transformed code 3 is equivalent to the source code 1 . This process makes it possible 
to verify whether the transformer 2 is working correctly. 

However, as mentioned, if the two sets formed by the source and transformed 
codes are considered in their entirety, the theory goes that such a determination is 
15 generally not realistically possible. 

An essential characteristic of the method according to the invention will 
consist of finding, for each of the two codes, two subsets that will be called the first 
and second subsets. According to an important characteristic of the method according 
to the invention, the first subsets form a virtual machine common to the two codes, 
20 source and transformed. For this reason, it is not necessary to verify the equivalence 
of the first subsets. 

On the other hand, the second subsets, constituted by the auxiliary functions, 
are different from one code to the other. The determination of the equivalence of the 
source and transformed codes is therefore reduced to determining the equivalence of 
25 all the pairs of auxiliary functions of the second subsets. The residual complexity of 
the auxiliary functions can be greatly reduced. It follows that determining the 
aforementioned equivalence becomes possible. 

Figs. 2A and 2B illustrate, in highly schematic fashion, the method according 
to the invention. 

30 As shown more particularly in Fig. 2A, the first subsets of the source code 1 

and the transformed code 3 form a common virtual machine 13. The second subsets, 
10 and 30, are each constituted by a series of so-called auxiliary functions, the 
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equivalence of which must be verified. These auxiliary functions 10 and 30 
parameterize the common virtual machine 13. 

The equivalence of the two codes, source 1 and transformed 2, is therefore 
reduced to verifying the equivalence of the auxiliary functions 10 and 30, two by two, 
5 as will be shown below in reference to Fig. 2B. 

The steps of the method will now be described in greater detail. 

The source and transformed codes are associated with first and second virtual 
machines, respectively. 

The first step consists in defining a single virtual machine (or set of 
10 operational semantics) that makes it possible to factor in the behavior of the source 
code and the transformed code. The differences between the two codes therefore 
appear through auxiliary functions that will be interpreted or implemented differently 
in the two codes. 

A virtual machine may be represented by a set of rules with the following 

15 form: 

premise 1 

20 

premise n 


state 1 [Instruction 1 ] ^> s tate2 ( 1 ) . 

25 

The premises are either conditions for applying a rule, i.e. boolean 
expressions, or assignments of variables used to express a change of state. The 
premises use auxiliary functions to extract information on the state or to express 
conditions. Each rule indicates how the state of the machine changes when the 
30 premises are verified and the instruction "Instruction 1" is encountered. One or more 
rules in this form are defined for each type of instruction in the code. 

The second step consists in defining the data types or structures used in the 
two codes. It defines basic types, such as for example: 

6 


Basic ::= Nat I Bool I Name. 


(2), 


or constructed types, for example: 

5 

Environment ::= Name • Value 

Instructions ::= Instructionl I Instruction2 I ... (3), 

The third step consists in interpreting the types, referenced • , used in the 
10 virtual machines. For each type • , it defines an interpretation for the source code 
[[• ]h and an interpretation for the transformed code [[• plus a relation R. 
between the two interpretations [[.]] s and These relations, called logical 
relations, satisfy the structure of the types. For simple types, they must be explicitly 
defined: for structured types, they are deduced from the types of the components of 
15 the structure. 

For example for the pairs: 

(a, b) R 6 ixQ2 (a', b') ^zlRoj a' a R m b f (4), 

20 a relation wherein • 1 and • 2 are types and a, b, a' and b' are type elements. 
The same is true for the functions: 

fRei->m f <=>Va,a' .aReia' =>fa R 92 f a r (5), 

25 The logical relations must be "identity" relation for the observable types, i.e. 

the types for which it is desirable to show that the two codes produce the same result. 

These are usually types that are printable and/or displayable on a computer screen. 

They can be basic types, but also structured types representing, for example, a stack 

or variables of a given program. 
30 The fourth step consists in interpreting the auxiliary functions used in the 

virtual machines. For each auxiliary function/, its definition for the source code, 

written [\f]]s, and its definition for the transformed code, written [\f\] T > are given. 


7 


Determining the equivalence consists of showing that the definitions of the 
auxiliary functions correspond to the logical relations. More precisely, for each 
auxiliary function/- • • • we show 


5 


Ms IW Mr 


(6), 


It follows that the two virtual machines are related, i.e. that: 


UstateJk Ri 


type -state 


\[state]\ T 


(7). 


10 


Since the relations are the identity for the observable types, the source and 
transformed codes are observationally identical. 

The last step consists of showing that there exists a transformer • (Fig. 1: 2) 
that satisfies the logical relations. This can be done by verifying that a. given 
15 transformer • .* S • T satisfies the logical relation associated with the type of its 

argument, S being the source code (Fig. 1:1) and T being the transformed code (Fig. 
1: 3). In order to do this, it is necessary for it to obey the following relation: 


It has just been shown that the logical relations specify a set of constraints. It 
is therefore possible to extract the transformer 2 that is correct by construction, by 
applying refinement or extraction techniques, using one of the appropriate proof 
assistants. 


advantage, since it allows for a substantial mechanization of the verification process, 
and above all makes it possible to perform it successfully, since this verification is 
performed on less complex subsets. 

Since the transformation of the source code 1 can be described as a succession 
30 of simpler transformations, this method can be applied so as to show each 

transformation independently. It follows that it offers a the great advantage in terms of 
modularity. 


Vx Ms -x Re IXx) 


(8). 


20 


25 


The method according to the invention therefore offers an important 
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The verification need only be performed on the subsets of auxiliary functions 
10 and 30, as illustrated by Fig. 2B, by means of a hardware or softwiire device 6. 
There are assumed to be n auxiliary functions, referenced 10 a] , 10 w , 10i, 10 rt _ ; , 
10„ and 20 al , 20 b] , .. ., 20 i5 ...20 n -i, 20 n , respectively. If the device 6 is hardware, it 
5 comprises as many verification circuits 60 a i, 60b i, . . 60*, . . .60 n _i, 60 ri (arbitrarily 
represented in Fig. 2B by the symbol of a comparator), as there are pcdrs of auxiliary 
functions to be verified, for example the verification circuit 60i for the pair of 
functions 10i and 30j. The output or outputs of this device 6, with the single reference 
61, indicate(s) that the logical relation between all the possible pairs of corresponding 
10 auxiliary functions of the source 1 and transformed 3 codes is satisfied. This series of 
operations is enough to provide formal proof of the equivalence of the two codes in 
their entirety. 

It must be noted that the method according to the invention is just as usable a 

posteriori, i.e. in order to verify an existing transformer, as it is a priori, as an aid in 
15 developing a new transformer. It specifically makes it possible, in the latter case, to 

determine its characteristics so that it works correctly, in other words so that the 

transformed code that will be generated by this transformer from the source code 

satisfies the aforementioned equivalence requirement. 

The method will now be described in the chip card context. Fig. 3 
20 schematically illustrates the architecture of a chip card, referenced 7. In this figure, 

only these elements essential to a proper understanding of the method according to the 

invention are represented. 

The chip card 7 specifically comprises an input/output device 70 that allows 

communications with the outside world, a first fixed or programmable memory device 
25 71 (of the ROM, PROM, EPROM or EEPROM type), and a read- write memory 72. 

Lastly, the chip card 7 comprises a microprocessor or microcontroller 73 that 

dialogues with the other components of the chip card 7 through a bus. 

The software architecture of such a chip card 7 complies with the ISO 7816-3 

standard, which translates into protocol layers ranging from the lowest layers 
30 associated with the input/output devices 70 to the highest layers associated with the 

software applications stored in the chip card 7. These standards provide for the 

transmissions to take place in the serial mode. 
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The source code 1, once transformed by the code transformer 2, is transmitted 
to the chip card 7 in order to be stored, generally in the fixed or "semi-fixed" memory 
device 71 via the input/output device 70. The software application or applications run 
by the chip card 7 can be stored permanently in the chip card 7, i.e. in the memory 
5 device 71, or temporarily in the read/write memory 72. In the latter case, the 

applications are downloaded via the input/output device 70. In the example described, 
it is assumed that the chip card 7 is a multi-application or multi-user type card. It is 
therefore assumed that the chip card runs m software applications A { through A m , 
written in the transformed language 3. 

10 One of the languages commonly used for chip cards, as mentioned above, is 

the "Java Card" language. It is a language dedicated to chip card programming, a 
language that constitutes a limitation of the "Java" language. 

The card 7 can also store an additional converter that performs conversions on 
code segments in situ as they load. 

15 The steps of the method according to the invention that have just been 

described in a general context, will be illustrated more specifically within the context 
of the preferred application. 

As is known, an installation of the "Java Card" language involves a converter 
that transforms so-called "class" files into "CAP" files. A class file is a unit of 

20 complication and representation of the object code of a "Java" program. A CAP file 
groups all the classes of the same "Java Card package" and includes only one 
"constant pool." A "Java Card package" is a "Java" construction for grouping classes 
and creating name spaces. A "constant pool" is a table associated with each class file 
for "Java" and with each "CAP" file for "Java Card." This table contains constants 

25 (character strings, integers, etc.). It is used in "Java" and "Java Card" virtual 

machines. The transformation is nontrivial and global: it replaces all the names of 
packages, classes, fields, methods) with entities called "tokens," i.e., 7- or 8-bit whole 
numbers. These "tokens" serve as indices for accessing tables. In addition, the 
transformation groups all the class files of the same package into a CAP file (with a 

30 merging of the "constant pools" and a reorganization of the method tables). 

The "Java Card" language is specifically designed to be used ii banking chip 
cards. It is therefore imperative to verify the accuracy of the transformation of a 
program (or "byte code") written in the "Java" virtual machine into a program written 


in the "Java Code" virtual machine, i.e. to prove of the equivalence of these two 
programs. 

This formal proof is provided by executing the steps of the method according 
to the invention. 

5 The first step consists in defining a set of operational semantics. 

One or more semantic rules are associated with each instruction of the "byte 
code." The "byte code" is a portable assembler code. It is the object code for "Java" or 
"Java Card" virtual machines. For example, the semantic rule associated with one of 
the instructions of this code, the "getfield" instruction, can be described as follows: 

10 

fjref\- constant„pool (c)( i) 
<c_ref, iv> := h( 9 ) 
v : = iv(f_ref) 


15 

<getfield i; be, r :: opsX c, h> => <bc, v ops, l y c, h> (9). 

In the example, the state is composed of the code executed with the current 
instruction (getfield i; be) leading, a stack of operands (r ;: ops), the local variables 
20 (/), a reference to the current class (c) and the heap (h). The rule specifies the 
operations performed during the execution of getfield i: 

- The auxiliary function "constant_pool" uses the index / to obtain the 
reference f_ref of the field (a signature or a "token," depending on whether it is a 
source code or a transformed code) in the appropriate "constant pool." 

25 - The reference • to the object whose field must be read is fovtnd at the top of 

the stack. This reference makes it possible to find in the heap (h(r)) the dynamic class 
of the object c_ref (a qualified name or a pair of tokens, depending on whether it is a 
source code or a transformed code) and a list of the fields of the object (iv). 

- Using the reference previously calculated and the list of fields, the field is 
30 read ( v ; = iv(f_ref)). 

- The getfield instruction changes the state by replacing the reference to the 
object with the value of the field, and the execution continues with the rest of the code 
(be). 


n 


The second step consists in defining the types. 

In the case of the "Java Card" language, it defines the Word type for 


representing the unit of storage: 

Word = Object_ref + Null + Boolean + Byte + Short 


(10), 


As an example of the constructed type, the type of a constant pool is: 


Constant_pool = CP_index* CP info 


(11), 


with 


CPJnfo = Class_ref + Method_ref + Field„ref 


(12), 


In the example, a "constant pool" is seen as a function that takes an index (the 
type CP_index is considered to be basic) and renders an input (in this case a reference 
to a class, a method or a field). 

The type of the "byte code" is: 

Bytecode = Instruction + Bytecode; Bytecode 

Instruction = getfieldCP_index + Invoke virtual Cp„index + . . . (13), 

The "byte code" is an instruction sequence. The instruction type lists all of the 
instructions used in the "byte code" of "Java Card." 

The third step consists in interpreting the types. 

In the case of "Java Card," the interpretation for the source code, in the form 
of class files (which use names) is written and the interpretation for the 

transformed code, in the form of CAP files (which use "tokens") is written [[.] W. 

For example the type [[CPJndex]]^ is verified for the source code: 

QCPJndexJ^ = Class_name x Index (14). 
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In the name-based model, a "constant pool" index is constituted by a class 
name (to indicate the "constant pool" being referred to) and an index. 
The type [[CP_index]],^ is verified for the transformed code: 

5 [[CP_index]L fc = Package J;oken x Index (15). 

A "constant pool" index is constituted by a "package token" (in the example 
described, there is only one "constant pool" per "package" or CAP file) and an index. 
The relation R C p_index is defined as a bijection such as: (16) 

10 

{c_name, i) R C p_index (p_tok, V) => pack_name(c_name) R pac ka g e_ref p_tok 

The name of the "package" of the class containing the "constant pool" being 
referred to in the name-based module should be in relation with the "token" of the 
15 "package" containing the "constant pool" being referred to in the "token"-based 

model. The only constraint on the indices / and /' is that Rcpjndex must be a bijection 
(the inputs of the "constant pools" can then be regrouped and reordered). 
The fourth step consists in interpreting the auxiliary functions. 
For example, the version of the auxiliary function "constant_pool" for the 
20 name-based module is: 

[[constant_poolL f cp_name (17), 

with: 

25 

cp_name c = let (. . cp, . . .) = env_name(pack_name(c))(c) (18). 

in cp 

The function pack_name takes a class name and renders a "package" name, 
30 and the function env_name takes a package name and a class name and finds in the 
class hierarchy the structure representing the designated class file. The constant pool 
is extracted from the class file. 
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For the "token"-based model, the version of the auxiliary function 
[[constant_pool]] f ^ is: 


HconstanLpool]]^ = cpjtok (19), 


with: 


cp_tok c = let (. . cp, . . .) = env_tok(p) (20), 

in cp 

10 

The "constant pool" is found in the environment (i.e., the CAP files) by means 
of the function env_tok and the package token. 

The fifth step consists of proving that the auxiliary functions satisfy the logical 
relations. 

15 Referring again to the example of the function for accessing the "constant 

pool," it is necessary to determine that: 

[[constant_poolL R c P _index. cpjnfo [[constanUpool]]^ (21). 


20 The relation R cp _i n dex • cp_info is completely defined as a function of the 

relations R cp _mdex and Rcpjnfo* Based on this definition, one need only verify that: 

c_name, i) (p_tok, V) such that (c_name, i) Rcpjndexipjtok, V) 
cp^RcpjnfoCpXi') (22), 

25 

with: 


(..., cp, ...) = env name(pack_name(c__name))(c_name) 

(. . ., cp*, . . .) = env„tok(p_tok) (23). 

30 

The proof is based on the definition of R C p_j n fo and the property mentioned 
above : (24) 
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{c_name, i) R cp _index (pjkok, V) => pack_name(c_name) R pa ekage_refPJtok 

The sixth and last step of the method consists of determining a transformer 
such that the transformation of the code and the data by this converter satisfies given 
5 logical relations. For example, the references to "packages" are either names or 

"tokens" depending on the model. The associated logical relation R pa aui g e_ref^ simply 
defined as a bijection between the "package" names and the "package tokens." One 
need only verify that the function of the converter performing the transformation of 
the package names into "tokens" is actually a bijection. 
10 By reading the above, it is easy to see that the invention achieves the objects 

set forth. 

It must be clear, however, that the invention is not limited to just the 
exemplary embodiments explicitly described, particularly in relation to Figs. 2 and 3. 
Finally, although the method has been described in detail in the case of the 
15 transformation of a program of the "Java" virtual machine into a program of the "Java 
Card" virtual machine, which is particularly advantageous for chip card or similar 
applications, the invention is not in any way limited to this particular application. 

The invention can be applied whenever the device involved has relatively 
limited computing resources, particularly in terms of memory size (read/write or 
20 fixed) and/or the computational power of the processor used. For example, it applies 
to electronic books, for example of the "e-book" type, designed to download and store 
data from Internet sites, palmtop computers, for example like the so-called 
"organizers," certain mobile telephones that can connect to the Internet, etc. In all of 
these cases, it is necessary to use an optimized language in order to use the integrated 
25 computing resources to best advantage. 
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CLAIMS 


1 1 . Method for verifying a transformer of a so-called source code into a 

2 so-called transformed code designed for an embedded system, said source and 

3 transformed codes being associated with virtual machines, characterized in that it 

4 comprises at least the following steps: 

5 - determining, for each of said source (1) and transformed (3) codes, a first 

6 common subset (13), constituting a single virtual machine that factors in the behavior 

7 of these two codes ( 1 ,3); 

8 - determining, for each of said source (1) and transformed (3) codes, a second 

9 subset (10, 30) constituted by a plurality of so-called auxiliary functions (10, — 30/) 

10 used by said single virtual machine, said auxiliary functions (10, - 30;) representing 

1 1 residual differences between said source (1) and transformed (3) codes; 

12 - associating said auxiliary functions in pairs, a first auxiliary function (10/) of 

13 each pair belonging to said second subset (10) associated with said source code (1) 

14 and a second auxiliary function (30/) of each pair belonging to said second subset (30) 

15 associated with said transformed code (3); 

16 - verifying (6) a given correspondence property between said auxiliary 

17 functions (10/ - 30/) of all of said pairs; and 

18 - verifying that said transformation of the source code (1) into a transformed 

19 code (3) by said converter (2) satisfies said given correspondence property. 

1 2. Method according to claim 1, characterized in that said correspondence 

2 property is a logical relation, so that said auxiliary functions of each of said pairs (10/ 

3 - 30/), when executed, generate results linked by said logical relation, and in that this 

4 relation is the identity relation for so-called observable entities of each of said source 

5 and transformed codes, for any pair of auxiliary functions, so that the functionalities 

6 of said source code (1) are retained when said transformation into said transformed 

7 code (3), and said verification of the code transformer (2), are performed. 

1 3. Application of the verification method according to either of claims 1 

2 and 2 to a code transformer (2) that generates, from said source code (1), a 

3 transformed code (3) designed to be stored in memory means (71) of a chip card (7). 
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1 4. Application according to claim 3, characterized in that, said 

2 transformed code being a program written in the virtual machine of a given computer 

3 language, said chip card (7) is a chip card that stores a plurality of software 

4 applications (Ai through A n ) written in this transformed code (3). 

1 5. Application according to claim 3 or 4, characterized in that said source 

2 code (1) is a program written in the "JAVA" (registered trademark) virtual machine 

3 and said transformed code (3) is a program written in the "JAVA CARD" (registered 

4 trademark) virtual machine. 
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ABSTRACT 
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The invention relates to a method for verifying a transformer of a source code 


into a transformed code designed for an embedded system (7). The method comprises 
at least the following steps: determining a single virtual machine that factors in the 
behavior of both of these codes (1,3), determining for each of said source (1) and 
transformed (3) codes a plurality of so-called auxiliary functions representing the 
20 residual differences between said source (1) and transformed (3) codes, and a step 

consisting of verifying a correspondence property between the auxiliary functions, the 
verification of the code transformer (2) being obtained from this last step. 


It particularly applies to chip cards (7). 


25 


FIG- 3 
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French Language Declaration 

POUVOIRS: En fcuu que I'invenieur cite\ je designe par la 
jjr&ente I'()es) avocat(s) et/ou agent(s) sujvant(s) pour qu'ils 
poursuive(nt) la procedure dc ccite demande de brevet et 
traite(nt) toute affaire s'y rapportant ayec rOffice des brevets et 
des marques: (mentionner le nom et le numero 
d 'enregistrement). / ^ 


Adresser toute correspondance a: - 


Adresser tout appel t616phonique a: 
(nom et nume'ro de xiliphone) 


POWER OF ATTORNEY: As a named inventor, I hereby 
appoint the following attorney® and/or agent(s) to prosecute this 
application and transact all business in the Patent and Trademark 
Office connected therewith: (list name and registration number) 

MILES & .SIQCKBRlDSBLJk C - 
Sn1f-fe-500i 175Xjgii macle Drive 

Send Correspondence to: 


V.AvrarA T. TTrmnVacki T 70^/ 903-9000 or 
Direct Telephone Calls to: 703/610-8627 
(name and telephone number) 


Wlonx complet de l'unique ou premier inventeur 

Full name of sole or first inventor 

f Signature de rinvemeur ^A^y Date^^ft^^ 

Inventor's signature Date 

J Domicile : , 

!L France ([_/ 

Residence 

nationality 

2^ French 

Citizenship 

GXdresse postale 8 Allee du Mail, 

Q 7834(1 'LE§ dTAY^S-'-SOTTS ROTS 

Post Office Address 

.JENSEN - Thomas 


Nom complet du second co-inventeurje cas cch£anl 

Full name of second ioint inventor; if any 

'^nature du second invefi^^^^- Date 

Second Inventor's signature Date 

Domicile France f ^ 

Residence 

Nationality ^ . , 

Danxsh 

Citizenship 

Adresse postale IRISA/INRIA, Campus 

Post Office Address 

35042 REiQSES C/RPEX 



(Fournir les rntaes renseignements et la si gnature de tout co- 
inventeur supplementaire,) 


(Supply similar information and signature for third and 
subsequent joint inventors 0 
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French Language Declaration 


Nom complet du troisieme co-inventeur, le cas echeant 

iMDEL 



Full name of third joint Inventor, if any 


Sfgnature^eTfn ve rrte u r \ 


Date 


Third Inventor's signature 


Date 


Domicile 


France 


PLY' 


Residence 


Nationality 


French 


Citizenship 


Adresse Postale 


IRISA/INRIA, Campus 


Post Office Address 


Universitaire de Beaulieu 
35Q'i 2 RENNEg^fiEBEX 


Nom complet du quatrieme co-inventeur, le cas echeant 
jjLwAIER Danie 


Full name of fourth joint inventor, if any 


Signature de I'invel 


Domicile 



Date 


Fourth Inventor's signature 


France 


Residence 


Date 


Nationality 


French 


Citizenship 


Adresse Postale 


IRISA/INRIA, Campus 


Post Office Address 


Universitaire de Beaulieu 
1 3^042 HFjfflES CEPEX 


l j Nom complet du cinquieme co-inventeur, le cas echeant 

sUpDSEY Ewen._ 

Full name of fifth joint inventor, if any 

Signature de I'inventeur Date 

Fifth Inventor's signature Date 

Domicile 
/ France 

Residence 

• ■ Nationality n i 
;f Fronc-fr- Sc^V^h 

Citizenship 

; Adresse Postale IRIS A/INRIA Campus 

Post Office Address 

Universitaire de Beaulieu N 

^HA? PTTATATTTQ rVDV.Y /l/^V' 



Nom complet du sixieme co-inventeur, le cas echeant 

Full name of sixth joint inventor, if any 

Signature de I'inventeur Date 

Sixth Inventor's signature Date 

Domicile 

Residence 

Nationality 

Citizenship 

Adresse Postale 

Post Office Address 




(Fournir les memes renseignements et la signature de tout (Supply similar information and signature for third and sub- 
co-inventeur supplemental.) sequent joint inventors.) 
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